internal audit value optimization for insurance...
TRANSCRIPT
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
Internal audit value optimization for insurance organizations
Webinar May 13, 2015
Agenda and learning objectives
Review the learning objectives Understand what we will cover today and takeaways
Understand the definition of internal audit and explore what “add value” means. Revisit some of the common challenges of adding value.
Discuss the characteristics of an optimizing internal audit department and review the internal audit capability maturity model
Understand the trends in the insurance industry that will transform internal audit's value proposition
Identify how to incorporate leading practices in the short term and over time with a summary of clear action steps.
1
2
3
4
Understanding internal audit and adding value
Importance for insurance organizations
Advancing technology
Regulation
Emerging risks and market opportunities
Growing necessity for business insight and value from internal audit departments
4
Internal audit definition
The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity that adds value to and improves an organization’s operations.
5
Insight Objectivity
Assurance
What does it mean to “add value”
The internal audit activity adds value to the organization (and its stakeholders),[and there is perceived value of contribution] when it provides objective and relative assurance, and contributes to the effectiveness of governance, risk management, and control processes.
6
Too much focus on routine audits
SOX, MAR, compliance
efforts encompassing
majority of plan
Organizational perception as
“company police”
Lack of resources in number and/or in
talent
Challenges to adding value
Politics, “tail wags the dog”
Reduction in internal
audit value
7
Characteristics of an optimizing internal audit activity
8
• CAE and managers are key thought leaders • Continuous learning and process improvement culture
• Defined process to evaluate skill set and training needs • Aligns risk assessment and audit plan with current skill
sets
• Leverage insights and feedback from business unit managers
• Obtains knowledge of trends and emerging risks
• Considers organizations strategic objectives and culture • Advisory on adapting to and maximizing technology trends
• Appropriate visibility with management and board • Provide appropriate recommendations to improve
governance
• Integration of performance data and feedback • Continuous and ongoing quality assurance program
Learning organization
Use of information inside and outside of organization
Critical part of governance and risk management
Top level professional and specialized skills
World class recommendations
Integrated performance measures
Internal audit activity maturity model
9
Initial > Isolated audits > Lack of
established practices
Infrastructure > Compliance
auditing > Individual
professional development
> Audit plan based on management priorities
Integrated > Advisory
services > Workforce
coordination > Risk based audit
plans > Performance
measures
Managed > Assurance on
governance, risk and controls
> Contribution to mgmt development
> Audit strategy leverages ERM
> Advanced performance measures
Optimizing > IA is recognized
as key agent of change
> Leadership in professional organizations
> Strategic IA planning
> Transparency to organization on IA effectiveness
Insurance industry trends and internal audit
implications
Insurance industry trends
11
L&A and health risks > Reputational risks > System transformation and impact > Competition and market share protection / enhancement > Three R estimation
Life
and
ann
uity
1) Predictive analytics
and consumer facing platforms
2) Retiring baby boomers 3) Alternative and
simplified customer distribution
4) Legacy system issues
Hea
lth
1) Premiums rising
2) Individual mandate
3) Risk based premiums
4) Participation in Exchanges
Insurance industry trends
12
P&C risks > Increased use of alternative
investments > Marketing and underwriting
changes > Data integrity, modeling, and
underwriting strategy transformation
Prop
erty
and
ca
sual
ty
> Lower CATS and softening market
> Alternative capital influx
> Customer experience > Pursuit of higher
yield
Cross industry risks > Cyber security readiness > Regulatory compliance and
costs > Data integrity and model risk
Cro
ss in
dust
ry
> Cybersecurity > Regulation adding cost
and complexity • ORSA • Captive oversight • Corporate governance
> Capital management and integration of internal and external models
Industry trends affecting IT
IT and business have fused together to empower each other. Emerging industry trends and regulatory changes have effected IT. 1) Cybersecurity Risk and Regulation
2) Predictive Modeling and Data Analytics
3) Accessibility of information/consumer facing platforms
4) Increased competitive landscape (soft P&C market, health exchange, etc) requiring better customer experience and faster speed to market
13
Information technology (IT) trends
14
Connected Home/Auto
Automated Decision
Engines/Tools
Constant tracking of Data and people
Autonomous Technology
Context-aware security
Predictive modeling and rating
Continual monitoring of
trends
Incompatibility Potential Increased
Lack of legacy Core system
integration
Less in tune with customer
demands
Advances in algorithms
Wearables
Ever changing end points
Less control over device management
Increased cyber security risk
> Change management / system development life cycle (SDLC)
> Access administration and authentication
> Disaster recovery and business continuity planning
> Computer operations and back-up
> Vendor management > IT governance > Data breach and vulnerability
management > Data privacy > Mobile device management
and security > End user computing
Effects on information technology audit plan
15
Focused on core IT general controls
Focused on emerging risks and integration into ERM
Trends in IT have lead internal audit departments to focus more on emerging technologies as risk assessment frameworks dictate.
Sample 2010 IT IA Plan Sample 2015 IT IA Plan
Actuarial implications
Key actuarial risks are emerging as a result of industry trends and regulatory changes.
16
Traditional internal audit • Actuaries are a supplement’ • Engaged to perform routine reviews • Reviews are minimally performed
Optimizing internal audit • specialized skill-set readily available
in the internal audit workforce • Integrated on multiple audits
Regulatory changes • ORSA • Solvency II • Product design and transformation • Data analytics
Key risks • Model • Economic • Pricing • Regulatory
• Financial
statement • Process • Data
Key risks to actuarial function
Enterprise risks Model risk and control > Models must be in compliance with all Actuarial Standards of Practice
(ASOPs) > Appropriateness of the assumptions made in the calculations > Defined and documented process for each periodic review > Back-test the results (actual verses expected analyses) > Transparency of assumptions and limitations to key stakeholders
(communications)
17
Key risks to actuarial function
Enterprise risks (cont.) Economic and pricing risk > Price monitoring system – data reconciliation and frequency of review > Development of pricing assumptions > Treatment of differing characteristics of insured risks > Feedback loop on actual performance compared to pricing objectives Regulatory compliance > Preparation and analysis for new and emerging regulatory changes > Compliance
18
Key risks to actuarial function
Key process risk > Controls on actuarial judgment and
selections > Treatment of data anomalies in the
analysis Key person risk/succession planning > Over-reliance on a few key individuals > Identify, develop and retain talent for key
positions and areas > Planning relating to reorganization,
turnovers, or actuarial student rotations
Reliance on third-party providers Data risk > Accuracy > Completeness > Controls (reconciliation) Other miscellaneous risk > Assumptions > Process around management best
estimates vs. actuarial best estimate
19
Financial statement risks
Value optimization action steps
Value optimization action: Strategy alignment
Align internal audit strategy with organizational strategy. Formalize an internal audit strategic plan that addresses the following: 1) Stakeholder expectations
2) Consideration of changes in the audit plan mix one, three and five years ahead
3) Insurer organization strategies and risk appetite and internal audit implications
4) Resource and talent needs 21
Value optimization action: Resource enhancement
Conduct analyses: > Training analysis
> Skills analysis
> Mapping and gap analysis
Begin the process to fill the gaps > Internal training
> Certification programs
> Co-sourcing / outsourcing
22
Value optimization action: Internal audit branding
Create a stronger internal audit brand > Providing training to departments and business units on the
purpose and value of internal audit
> Provide thought leadership to business units on internal control efficiencies, emerging risks, and industry hot topics
23
Value optimization action: Risk management focus
Ensure the internal audit plan reflects the current state and expected future state. Assess the strategic risks to the organization and discuss where internal audit can add value.
24
Value optimization action: Risk management focus
Considerations for audits and advisory reviews 1) Cyber security –threat and vulnerability management
2) Cloud strategy and governance
3) Customer interaction and experience review
4) Budget and forecasting assessment
5) Vendor governance and risk management review
6) Data analytics effectiveness review
7) Actuarial risk management assessment
8) Product development efficiency and process review
9) Enterprise regulatory and compliance efficiency assessment
25
Value optimization action: Embrace data analytics
Incorporate data analytics to assist in driving the risk assessment process as part of the overall audit plan, as well as part of individual engagements. Model validation and data validation assurance is a key element to include in the overall audit plan.
26
Value optimization action: Be an ERM champion
ERM champion approach allows > Linking from risk to strategy
> Building risk awareness throughout the organization
Be the thought leader > Conduct training to business units
> Facilitate ERM workshops
> Provide education to the board of directors
> Provide updates on emerging risks
27
Value optimization action: Define internal audit success and monitor
Develop key performance indicators (KPI’s) > Best practices implemented
> Business unit cost savings/revenue enhancements identified and realized
> Issues monitored and closed
> Audit survey results
> Subject matter expert utilization and effectiveness
> Training, certification and CPE’s hours obtained
> Emerging risks monitored and reported
28
Value optimization action step summary
Develop/Update the Internal audit
strategy
Training and Skills Analysis
Create a stronger IA brand
Risk management focus
Embrace Data analytics
Be an ERM champion
Define success and monitor
29
Disclosure
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. © 2015 Baker Tilly Virchow Krause, LLP
30